Microsoft Exchange Server 2007 : Components of a Secure Messaging Environment (part 4) - Establishing a Corporate Email Policy, Securing Groups

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019

Establishing a Corporate Email Policy

Not all misuse of organizational email systems comes from external sources. Employees improperly utilizing a messaging system can put a company at risk as well, either by overloading the sytem, passing confidential data to nonauthorized personnel, or passing material that is offensive in nature, potentially exposing the organization to lawsuits from other personnel.

Established and documented corporate email policies are used to govern and enforce the appropriate use of the messaging environment. However, like most security policies, they cannot be effective if they are not created, approved, implemented, and communicated to the user community.


Corporate email policies not only define how the system can and should be used; they also limit an organization’s liability in the event of misuse.

The following are possible considerations and guidelines to include in the corporate email policy:

  • Personal usage— The policy should state whether emails of a personal nature are accepted and, if so, to what extent. Some companies place a limit on the number of personal emails that can be sent each day. Others require personal emails to be stored in a separate folder within the email system. Most companies allow the sending and receiving of personal emails because this is often less time consuming than requiring employees to access external mail sources for personal communications.

  • Expectation of privacy— A corporate email policy should plainly state that the messages contained within the system are the property of the organization, and that no expectation of privacy is implied. Email records can be subpoenaed, mailboxes can be reviewed for appropriate use, or data can be retrieved in the event of the termination of someone’s employment. By setting the expectation up front, you can make it clear to your users that the email system is a tool for their use, but the messages contained do not belong to them.

  • Email monitoring— If the organization monitors the content of its employees’ emails, this should be stated in the email policy. Most countries and states allow the monitoring of corporate email by authorized individuals, as long as the employee has been made aware of the policy.

  • Prohibited content— The policy should state that the email system is not to be used for the distribution of offensive or disruptive messages. This includes messages containing inappropriate content such as comments about race, religion, gender, or sexual orientation. The policy should also clearly state that pornographic pictures or emails with sexual content will not be tolerated, as these items are commonly the cause of offense between employees. The policy should mandate that employees receiving any such materials should report them to their supervisor or another appropriate entity for review immediately.

  • Confidential data— Employees should not use the messaging system to discuss sensitive matter, such as potential acquisitions or mergers. Corporate secrets or other proprietary data should not be sent either, as an inadvertent forward could allow the sensitive data to pass to inappropriate personnel.

  • Email retention policies— Many organizations, especially government, health-care, and financial institutions, are required by law to meet or exceed certain email retention policies. These policies should be clearly stated and meticulously enforced. Allowances should be made for employees to save messages of a critical nature—often companies allow them to be saved in separate folders to avoid automatic deletion.

  • Point of contact— The email policy should clearly state where employees can go to have any questions about the corporate email policy answered.

Bear in mind, a corporate email policy that is unknown to the user community is not an effective one. The policy should be distributed to the users in a variety of ways, such as posting on an intranet site, in employee handbooks, on break room bulletin boards, or in company newsletters.

Securing Exchange Server 2007 Through Administrative Policies

Whereas a corporate email policy specifically governs the use of the messaging system for users, administrative policies govern the operation and usage of the messaging system in general. Many best practices have been worked out over the years, some of which are as follows:

  • Administrative and operator accounts should not have mailboxes— Many viruses and email worms rely on the permissions of the authenticated user to perform. If the user opening the message has administrative access to the computer, there is a much greater potential for danger.

  • Grant permissions to groups rather than users— By granting permissions to groups, rather than users, you can quickly grant or deny access to a wide range of resources with one change. For example, if your Human Resources department has hundreds of files, in dozens of directories throughout your network, you would have to add (or remove) an individual from the permissions from each of these folders when they join or depart the team. However, by granting the permissions instead to an HR group, and then giving the group permissions, you can now modify access simply by adding the user to, or removing them from, the group.

  • Require complex (strong) passwords for all users— If left to their own devices, many users select passwords that are easy for them to remember. However, this behavior results in passwords that are also very easy for malicious users to crack. By requiring complex passwords, consisting of upper- and lowercase letters, numbers, and special characters, the likelihood of a breach of security is greatly reduced.

  • Require Secure Sockets Layer (SSL) for HTTP, POP3, IMAP4, NNTP, and LDAP clients— The SSL encryption protects confidential or personal information sent between a client and a server. The SSL protocol uses a combination of public-key and symmetric-key encryption. Symmetric-key encryption is much faster than public-key encryption; however, public-key encryption provides better authentication techniques.

  • Set policies globally when possible— Rather than setting policies for individual users or groups, companywide policies should be set, whenever possible, at a global level to ensure compliance.

Securing Groups

An important step in securing your messaging environment is to secure distribution and mail-enabled security groups. For instance, CompanyABC is a medium-sized company with 1,000 users. To facilitate companywide notifications, the HR department created a distribution group called “All Employees,” which contains all 1,000 employees. By default, there are no message restrictions for new groups, meaning that anyone can send to this list. If CompanyABC has an Internet Mail SMTP Connector, this group will also have an SMTP address.

Consider what would happen if a new user sent an email to “All Employees” advertising a car for sale. Let’s take it one step further and imagine that the user sent it with a read receipt and delivery notification requested. Thousands of messages can now be generated from this one mistake and could negatively impact server performance.

Often, intentions are not as innocent as the new user simply making a mistake. Sending repeated email messages to mail-enabled groups with large memberships is sometimes used in an attempted denial of service (DoS) attack. The attacker sends an SMTP message to the “All Employees” group with a delivery notification receipt requested and spoofs the “Return to” address with the same SMTP address used for the distribution group. So, 1,000 messages are sent, and 1,000 delivery notifications are returned—each of which is then sent to all 1,000 users in the group! From this one spoofed message, the net effect is (1 + 1000) + (1000 * 1000)=1,001,001 messages! By spoofing the distribution list and including a delivery notification receipt, this single email results in over 1 million messages processed by the system.

Fortunately, for this easy problem, there is an even easier solution. Exchange Server 2007 allows you to configure message restrictions on your distribution groups.

To secure distribution groups so that only authenticated users can use it, do the following:

Open the Exchange Management Console.

In the console tree, under Recipient Configuration, click Distribution Group.

In the results pane, select the distribution group you want to modify, and then click Properties.

On the Mail Flow Settings tab, highlight Message Delivery Restrictions, and click Properties.

Ensure there is a check in the Require That All Senders Are Authenticated check box.

Click OK when finished, and then click OK again to exit the configuration screen.

In addition, an administrator can further restrict the usage of this distribution group by allowing only a specific individual or security group to use it.

To restrict access to the distribution group to a specific user or group, do the following:

Open the Exchange Management Console.

In the console tree, under Recipient Configuration, click Distribution Group.

In the results pane, select the distribution group you want to modify, and then click Properties.

On the Mail Flow Settings tab, highlight Message Delivery Restrictions, and click Properties.

Under Accept Messages From, select the Only Senders in the Following List option button.

Click Add, and select the users or groups that are to have permission to send to the distribution group.

Click OK when finished, and then click OK again to exit the configuration screen.

An additional option allows you to configure the distribution list to reject messages from an individual or from members of a group. This setting is also configured using the Message Delivery Restrictions page.

  •  Microsoft Exchange Server 2007 : Server and Transport-Level Security - Considering the Importance of Security in an Exchange Server 2007 Environment
  •  Security and Windows 8: Keeping Your PC Safe (part 2) - Windows SmartScreen, Using Windows SmartScreen, Action Center Improvements
  •  Security and Windows 8: Keeping Your PC Safe (part 1) - Windows Defender, Boot-Time Security
  •  Netgear EX6200 AC1200 Wi-fi Range Extender
  •  Windows 8 : Managing BitLocker and other policy-based mobility tools (part 5) - Configuring offline file synchronization, Configuring policy settings for device power
  •  Windows 8 : Managing BitLocker and other policy-based mobility tools (part 4) - Configuring policy settings for offline files
  •  Windows 8 : Managing BitLocker and other policy-based mobility tools (part 3) - Managing BitLocker at the command line
  •  Windows 8 : Managing BitLocker and other policy-based mobility tools (part 2) - Managing BitLocker at the command line
  •  Windows 8 : Managing BitLocker and other policy-based mobility tools (part 1) - Configuring BitLocker policies
  •  Connecting Us TP-LINK TL-PA6010 Test
    Top 10
    Free Mobile And Desktop Apps For Accessing Restricted Websites
    MASERATI QUATTROPORTE; DIESEL : Lure of Italian limos
    TOYOTA CAMRY 2; 2.5 : Camry now more comely
    KIA SORENTO 2.2CRDi : Fuel-sipping slugger
    How To Setup, Password Protect & Encrypt Wireless Internet Connection
    Emulate And Run iPad Apps On Windows, Mac OS X & Linux With iPadian
    Backup & Restore Game Progress From Any Game With SaveGameProgress
    Generate A Facebook Timeline Cover Using A Free App
    New App for Women ‘Remix’ Offers Fashion Advice & Style Tips
    SG50 Ferrari F12berlinetta : Prancing Horse for Lion City's 50th
    - Messages forwarded by Outlook rule go nowhere
    - Create and Deploy Windows 7 Image
    - How do I check to see if my exchange 2003 is an open relay? (not using a open relay tester tool online, but on the console)
    - Creating and using an unencrypted cookie in ASP.NET
    - Directories
    - Poor Performance on Sharepoint 2010 Server
    - SBS 2008 ~ The e-mail alias already exists...
    - Public to Private IP - DNS Changes
    - Send Email from Winform application
    - How to create a .mdb file from ms sql server database.......
    programming4us programming4us